We currently have a PacketTunnelProvider providing a VPN connection to managed devices. Our profile locks this down with OnDemandEnabled and OnDemandUserOverrideDisabled set to true.
We've had reports of the OnDemand feature not kicking in on macOS when switching profiles or creating new profiles for managed users (but this works for the initial user login). When switching profiles, OnDemand does not enable; however, if the user manually enables the VPN and then disables it, OnDemand will now correctly turn the connection back on.
The installed profile contains:
OnDemandEnabled: 1
OnDemandRules: Connect Action for WiFi, Cellular, and Ethernet
OnDemandUserOverrideDisabled: 1
From sysdiagnose logs, I see some interesting logs for nesessionmanager:
Handling a network changed event
Resetting VPN On Demand
Found 0 registrations for [...].PacketTunnel
Failed to find [...].PacketTunnel app extension using neagent
Plugin is not available in launch services
Plugin is not installed
(I also see some failures with LSApplicationProxy, but not sure if those are relevant.)
Eventually, I see:
Plugin is installed
Enabling VPN On Demand
And things seem to kick off more as expected from that point on.
Do we have any guidance on how to address this issue? We also have a ticket submitted with Feedback Assistant.
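For triage across a fleet, the nesessionmanager messages quoted in the post above can be turned into a measurement of how long each device ran without On Demand. This is an added example, not code from the poster or from Apple; the timestamp layout and sample lines are constructed, and treating the span from "Resetting VPN On Demand" to "Enabling VPN On Demand" as the unprotected window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: timestamps and line layout are assumptions; only the
# message texts are taken from the post.
SAMPLE_LOG = """\
2025-01-15 09:12:01.100 nesessionmanager: Handling a network changed event
2025-01-15 09:12:01.150 nesessionmanager: Resetting VPN On Demand
2025-01-15 09:12:01.200 nesessionmanager: Found 0 registrations for [...].PacketTunnel
2025-01-15 09:12:01.300 nesessionmanager: Plugin is not available in launch services
2025-01-15 09:12:01.350 nesessionmanager: Plugin is not installed
2025-01-15 09:14:31.350 nesessionmanager: Plugin is installed
2025-01-15 09:14:31.400 nesessionmanager: Enabling VPN On Demand
2025-01-15 09:20:00.000 nesessionmanager: Resetting VPN On Demand
2025-01-15 09:20:00.050 nesessionmanager: Plugin is not installed
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) nesessionmanager: (.*)$")

def on_demand_gaps(log_text):
    """Return one record per On Demand reset: when it started, when On Demand
    was re-enabled (None if never), the gap in seconds, and whether the
    tunnel plugin was reported missing during the gap."""
    gaps, current = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines from other processes or other layouts
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        msg = m.group(2)
        if msg == "Resetting VPN On Demand":
            if current:  # a second reset before any re-enable
                gaps.append(current)
            current = {"start": ts, "end": None, "seconds": None,
                       "plugin_missing": False}
        elif current and msg == "Plugin is not installed":
            current["plugin_missing"] = True
        elif current and msg == "Enabling VPN On Demand":
            current["end"] = ts
            current["seconds"] = (ts - current["start"]).total_seconds()
            gaps.append(current)
            current = None
    if current:  # log ended while On Demand was still reset
        gaps.append(current)
    return gaps

if __name__ == "__main__":
    for gap in on_demand_gaps(SAMPLE_LOG):
        print(gap)
```

A record with `end` set to `None` and `plugin_missing` set to `True` marks a device whose log ends before On Demand came back, which is the case worth alerting on.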
Thanks for those bug numbers.
I took a quick look and they’re both still open [1] and with the right folks. Unfortunately there’s not much more I can share here.
Based on info in the bug it seems that this problem reproduces with built-in VPN transports, like IKEv2. Does that gel with your experience? If so, that’s a strong indication that you’re not doing anything wrong here, and this is a bug that Apple will need to resolve.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] FB16432113 was marked as a dup of an internal bug, but that bug is still open.